I'm currently collecting Powershell event 4104 across all devices on the network and one sysadmin host has been found to be exceptionally chatty. I would like to blacklist event 4104 on that box while allowing it on all the rest. I've added the event id to the blacklist in the offending machine's etc/system/local/inputs.conf, as it should take precedence over the app's inputs.conf file, but I'm still receiving events. Can someone point me in the right direction?
↧